It's important to protect your API from unauthorized access. One way to do that is to validate API keys (also called "public keys", "consumer keys" or "app keys"). An API key identifies the app that is calling your API; it is sent with every request, so it should only travel over TLS, and it identifies the app rather than authenticating an end user.

The tutorial Create your first API: Step-by-step shows how to create an API proxy to access the Yahoo Weather service. In this tutorial, you create a new version of that API proxy that adds the VerifyAPIKey policy to the API proxy. The advantage of creating a new version of the API proxy is that Apigee Edge creates all of the policies necessary to enforce API keys for you.

If you already have an existing API proxy, you can add the VerifyAPIKey policy at any time. See Verify API Key policy for more.

When an app makes a request to your API, the app must supply a valid key. At runtime, the VerifyAPIKey policy checks the following:

That the API key exists and is valid

That it has not been revoked

That the API product the key belongs to includes the API proxy (and the requested resource) that exposes the resources being requested

If the key passes all of these checks, the request is allowed to continue. If any check fails, the policy raises a fault and the request results in an authorization failure before it reaches the backend.

Prerequisites for this tutorial

While it is not required, this tutorial assumes that you have completed the first tutorial, where you create an API proxy to access the Yahoo Weather service. If you have not yet completed that tutorial, see Create your first API: Step-by-step.

Step 1: Create an API proxy

Configure an API proxy for the Yahoo! Weather service. This repeats some of the same actions as in the tutorial Part 1: Create your API. However, you'll also add security to your API proxy in this step.

Step 3: Examine the generated policies

Because you chose the Secure with API Keys and Impose Quota per Developer options when you created the API proxy, Edge automatically added the following policies to your proxy:

Name: Verify API Key
Policy type: VerifyAPIKey
Description: Verifies the API key against an API product, returns an error if it is invalid and, if it is valid, looks up the attributes of the matching API product and makes them available to later policies as flow variables.

Name: Remove Query Param apikey
Policy type: AssignMessage
Description: Modifies the request message in the API proxy flow so that the API key is not forwarded to the backend URL.

Name: Impose Quota
Policy type: Quota
Description: Enforces a limit on the number of API calls made by apps over an interval of time.

Open the API Proxy Editor by clicking the Develop button on the details page for the weatherapikey API proxy.

On the left side of the API Proxy Editor, select PreFlow under Proxy Endpoints > default to show the generated policies in the Policy Designer.
For more information on Flows and Endpoints, see Understanding APIs and API proxies.

Select each policy to examine its settings.

Examine the VerifyAPIKey policy

The first policy to examine is the VerifyAPIKey policy, named Verify API Key. Typically, you want API key validation to happen as soon as a request is received by your API proxy. The PreFlow is always the first flow to execute at an endpoint, and the ProxyEndpoint is the first endpoint in the request pipeline. Because the VerifyAPIKey policy is the first policy in the ProxyEndpoint PreFlow, the API key is validated before any other processing of the request takes place, and an invalid key is rejected without the backend ever being called.

Click the Verify API Key policy icon, and examine the XML for the policy in the Code view. You can also view the values for the policy's XML elements and attributes in the Property Inspector. The XML for the policy should look something like this:
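As an added example (not the page's own listing), this is what a VerifyAPIKey policy of the kind the wizard generates looks like. The policy name verify-api-key and the DisplayName are assumptions; the apikey query parameter is the one this tutorial uses:

```xml
<!-- Added example of a generated VerifyAPIKey policy (name and DisplayName are assumptions). -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="verify-api-key">
    <DisplayName>Verify API Key</DisplayName>
    <Properties/>
    <!-- Where the policy reads the key from: the apikey query parameter used in this tutorial.
         A ref of request.header.x-apikey would read it from a request header instead. -->
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>
```

The <APIKey> element's ref attribute is the only thing that changes where the key is read from. Passing the key as a query parameter is convenient for a tutorial, but query strings tend to end up in access logs, proxies and browser history, so for a production proxy a header is the safer location. Either way, the policy also populates verifyapikey.<policy-name>.* flow variables (the matched API product, its quota settings, the client_id) that later policies in the flow can reference.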

Examine the AssignMessage policy

The next policy in the PreFlow is an AssignMessage policy named Remove Query Param apikey. The AssignMessage policy defines a set of elements that perform actions such as populating or modifying HTTP headers, query parameters, and XML or JSON payload content.

Examine the XML for the AssignMessage policy. The XML for the policy should look like this:
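As an added example (not the page's own listing), an AssignMessage policy that strips the apikey query parameter from the request looks like this. The policy name remove-query-param-apikey is an assumption:

```xml
<!-- Added example of a generated AssignMessage policy (name and DisplayName are assumptions). -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="remove-query-param-apikey">
    <DisplayName>Remove Query Param apikey</DisplayName>
    <!-- Remove only the apikey query parameter; everything else in the request is left intact -->
    <Remove>
        <QueryParams>
            <QueryParam name="apikey"/>
        </QueryParams>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <!-- Apply the change to the existing request message rather than creating a new one -->
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

If you move the key to a header in the VerifyAPIKey policy, change this policy to remove that header (a <Headers><Header name="..."/></Headers> child of <Remove>) so the credential still does not reach the backend.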

In this example, the policy uses a <Remove> element to remove the query parameter named apikey from the HTTP request message attached to the flow, so that the key is not forwarded to the backend service. Only the VerifyAPIKey policy needs to see the key, which is also why this policy must run after VerifyAPIKey: if the parameter were stripped first, there would be nothing left to verify.

Examine the Quota policy

The final policy in the PreFlow is a Quota policy named Impose Quota. This policy enforces a limit on the number of API calls made by apps over an interval of time. The limit can be set in the policy, or in the API product that contains this API proxy. For example, you may want to limit apps to 1 request per minute, or to 10,000 requests per month.

Examine the XML for the Quota. The XML for the policy should look like this:

The <Allow> element of the Quota policy sets the maximum number of messages allowed by the quota (2000), and the <Interval> and <TimeUnit> elements set the interval to 1 month. The policy also references, through ref and countRef attributes, variables that Edge populates when the VerifyAPIKey policy runs: the quota limit, interval and time unit configured on the API product that matched the key. When those variables resolve, their values take precedence over the literal values in the policy, so the effective quota is controlled by the API product rather than by the proxy itself. For example, the following specifies a maximum message count for the quota based on the limit set in the API product that was used to validate the request:
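As an added example (not the page's own listing), this is a complete Quota policy of the kind the wizard generates, showing both the literal defaults and the references to the API product settings described above. The policy names impose-quota and verify-api-key are assumptions; the verifyapikey.<policy-name>.* variables are the ones the VerifyAPIKey policy populates:

```xml
<!-- Added example of a generated Quota policy. Policy names are assumptions; the
     verifyapikey.verify-api-key.* variables are populated by the VerifyAPIKey policy. -->
<Quota async="false" continueOnError="false" enabled="true" name="impose-quota">
    <DisplayName>Impose Quota</DisplayName>
    <Properties/>
    <!-- count is the fallback; countRef wins whenever the API product defines a quota limit -->
    <Allow count="2000" countRef="verifyapikey.verify-api-key.apiproduct.developer.quota.limit"/>
    <Interval ref="verifyapikey.verify-api-key.apiproduct.developer.quota.interval">1</Interval>
    <TimeUnit ref="verifyapikey.verify-api-key.apiproduct.developer.quota.timeunit">month</TimeUnit>
    <!-- Count per app: client_id is the consumer key that VerifyAPIKey just validated -->
    <Identifier ref="verifyapikey.verify-api-key.client_id"/>
    <!-- Share the counter across message processors so the limit holds cluster-wide -->
    <Distributed>true</Distributed>
    <Synchronous>true</Synchronous>
</Quota>
```

Two points matter for security here. The <Identifier> ties the counter to the validated client_id, so each app gets its own bucket and one noisy app cannot exhaust another's allowance. And because the policy depends on variables set by VerifyAPIKey, it must be placed after that policy in the PreFlow; if the key has not been verified, the references do not resolve and the literal count of 2000 is used instead.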

Step 4: Request the Yahoo Weather API by using your Edge API proxy

Now that you have an API proxy for the Yahoo Weather API, you can make requests to it through Apigee Edge. The first thing you need to determine is the complete URL of the resource of the API proxy that you want to access. That URL has the form: